
Is a cookie banner required?


The Short Answer

It depends

In most cases yes. If your site uses any non-essential cookies or trackers (analytics, ad pixels, embeds), the GDPR and German TTDSG require prior opt-in consent, so you need a banner. Strictly necessary cookies are exempt. A purely static site with no tracking may need none. This is general information, not legal advice.

In most cases yes, you need a cookie banner, but the precise answer depends on which cookies and tracking technologies you use. Under the GDPR and the German TTDSG (now part of the TDDDG), you must obtain a user's prior, informed, freely given consent before storing or reading any non-essential information on their device. That covers analytics, advertising pixels, remarketing tags, A/B testing, and embedded media that sets cookies. If you run any of those, you need a consent mechanism, and a passive banner that just says "by using this site you agree" is not valid consent. This is general information, not legal advice; for a binding assessment consult a qualified data protection lawyer.

The flip side: not every cookie needs consent. Strictly necessary cookies, the ones essential to deliver a service the user explicitly requested, are exempt. That includes things like keeping a shopping cart, a login session, language selection, or load-balancing. For those you do not need consent and ideally should not even present them as optional. The mistake many sites make is treating analytics or marketing cookies as essential, or hiding them inside a single "accept all" with no real choice. If your site is purely static with no analytics, ads, or third-party embeds, you may legitimately need no banner at all.

What makes a consent banner valid matters as much as having one. Consent must be opt-in, not opt-out: nothing non-essential may fire before the user actively agrees. Reject must be as easy as accept, typically an equally prominent button on the first layer, not buried two clicks deep. You cannot pre-tick boxes, you cannot use deceptive design (dark patterns) that nudges people toward accepting, and you must let users withdraw consent as easily as they gave it. German and EU regulators have been increasingly strict on equal-prominence reject buttons, so an "accept all" that dwarfs a tiny "more options" link is a common and risky mistake.

For advertisers there is a second layer that is easy to miss: Google and Meta now require Consent Mode v2 to keep conversion measurement and audience features working in the EEA. That means your consent banner has to communicate the user's choice to the ad platforms through consent signals, not just block or allow scripts on your own site. Get the banner legally compliant but technically disconnected from Consent Mode, and you will see conversion tracking quietly collapse. We cover the setup in our consent mode v2 guide.

Done well, a banner does not have to wreck your data. Server-side tagging combined with Consent Mode lets you respect consent while still receiving modeled conversions for users who decline, and a clean, fast, honest banner often achieves higher genuine consent rates than a manipulative one. The goal is not to trick people into accepting; it is to make the value clear, keep the choice real, and wire the technical signals so your measurement survives. Doing both protects you legally and keeps your campaigns optimisable.

So is a cookie banner required for you? If you use any analytics, advertising, or non-essential third-party technology, plan on a compliant consent banner (opt-in, equal reject, no pre-ticks) with Consent Mode wired through to your ad platforms. If you truly run nothing beyond strictly necessary cookies, you may not need one. When you are unsure where your tags fall, an audit of what actually fires on your site (you will usually be surprised) is the right first step.

Checklist

  • Identify every non-essential cookie and tracking tag that fires on your site
  • Block all non-essential tags until the user actively opts in
  • Make reject as easy and prominent as accept, no pre-ticked boxes
  • Let users withdraw consent as easily as they gave it
  • Wire Consent Mode v2 through to Google and Meta so measurement survives
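
A sketch of how the blocking, withdrawal and Consent Mode items above fit together in code. This is an added example, not taken from our consent mode v2 guide or from any consent platform: the banner categories `analytics` and `marketing` and the helpers `toConsentSignals` and `createConsentManager` are assumptions, while the four signal names are the Google Consent Mode v2 parameters.

```javascript
// Assumed banner categories mapped to the Consent Mode v2 signals they control.
const CATEGORY_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Only an explicit boolean true grants a category; a missing key, a
// pre-filled string or any other truthy value is treated as denied.
function toConsentSignals(choice) {
  const signals = {};
  for (const [category, keys] of Object.entries(CATEGORY_SIGNALS)) {
    const state = choice[category] === true ? 'granted' : 'denied';
    for (const key of keys) signals[key] = state;
  }
  return signals;
}

// dataLayer is the array Google tags read from (window.dataLayer in a page).
function createConsentManager(dataLayer) {
  // Same shape as the standard gtag stub: it pushes the arguments object.
  function gtag() { dataLayer.push(arguments); }
  let choice = {};   // nothing is granted until the user acts
  let pending = [];  // non-essential tags held back until opt-in

  // The denied default has to be queued before any tag loads.
  gtag('consent', 'default', toConsentSignals(choice));

  return {
    // Wrap every non-essential tag loader so it cannot fire before consent.
    registerTag(category, run) {
      if (choice[category] === true) run();
      else pending.push({ category, run });
    },
    // Call from the banner on accept, reject, and later withdrawal alike.
    setChoice(next) {
      choice = { ...next };
      gtag('consent', 'update', toConsentSignals(choice));
      const ready = pending.filter((t) => choice[t.category] === true);
      pending = pending.filter((t) => choice[t.category] !== true);
      ready.forEach((t) => t.run());
    },
    pendingCount: () => pending.length,
  };
}
```

Withdrawal goes through the same `setChoice` call as the original decision, so it sends a denied update and holds any tag registered afterwards; a script that has already loaded is not unloaded by it.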

Frequently Asked Questions

Yes. Google Analytics sets non-essential cookies and processes personal data, so it requires prior opt-in consent in the EU. Analytics is not exempt as strictly necessary, so a compliant banner that blocks GA until consent is given is required.

No. EU and German regulators require that rejecting is as easy as accepting, usually an equally prominent reject button on the first layer. An "accept all" that dominates while reject is hidden is a dark pattern and a common cause of fines and warnings.

It will if it is not connected to Consent Mode v2. Blocking tags is correct, but you must pass the consent signal to Google and Meta so they can model conversions for users who decline. Otherwise measurement drops sharply even though your banner is compliant.

Not sure your cookie banner is actually compliant?

We will check what fires before consent, make the banner legally sound, and wire Consent Mode v2 so you stay compliant without going blind on conversions. Note: this is not legal advice.